Month: January 2020

NEW TOOLS, Application Security, Owasp RAF, RiskAssessmentFramework, Static Application Security Tool

RiskAssessmentFramework – Static Application Security Testing

The OWASP Risk Assessment Framework consists of static application security testing and risk assessment tools. Even though there are many SAST tools available for testers, their compatibility and environment setup process is complex. By using the OWASP Risk Assessment Framework's Static Application Security Testing tool, testers will be able to analyse and review their code quality and vulnerabilities without any additional setup. The OWASP Risk Assessment Framework can be integrated into the DevSecOps toolchain to help developers write and produce secure code. Features: Remote Web Deface…

NEW TOOLS, Brute-force, Certificate transparency logs, Transparency Logs, DNS lookup, Certificate Transparency, Bulk DNS, DNS Bruteforcer, DNS Resolution, DNS resolver, MassDNS

MassDNS – A High-Performance DNS Stub Resolver For Bulk Lookups And Reconnaissance (Subdomain Enumeration)

MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers. Major changes: This version of MassDNS is currently experimental. In order to speed up the resolving process, the ldns dependency has been replaced by a custom stack-based DNS implementation (which currently only supports the text representation of the most common DNS…

NEW TOOLS, golang, AWS, amazon s3, S3Enum

S3Enum – Fast Amazon S3 Bucket Enumeration Tool For Pentesters

s3enum is a tool to enumerate a target's Amazon S3 buckets. It is fast and leverages DNS instead of HTTP, which means that requests don't hit AWS directly. It was originally built back in 2016 to target GitHub. Installation. Binaries: Find the binaries on the Releases page. Go: go get need to specify the base name of the target (e.g. hackerone), and a word list. You could either use the example wordlist.txt file from this repository, or get a word list elsewhere. Optionally, you could specify the number of…

NEW TOOLS, JavaScript, Crawling, Crawler, Parameter, Burp, SSRF, See-SURF

See-SURF – Python Based Scanner To Find Potential SSRF Parameters

A Python-based scanner to find potential SSRF parameters in a web application. Motivation: SSRF being one of the critical vulnerabilities out there on the web, I see there was no tool which would automate finding potentially vulnerable parameters. See-SURF can be added to your arsenal for recon while doing bug hunting/web security testing. Tech/framework used: Built with Python3. Features: Takes Burp's sitemap as input, parses the file with a strong regex, and matches any GET/POST URL parameters containing potentially vulnerable SSRF keywords like URL/website etc. Also, checks the parameter…

NEW TOOLS, Burp, Blind SQL Injection, SQL Injection Exploitation, Blinder, Time-Based Blind SQL Injection

Blinder – A Python Library To Automate Time-Based Blind SQL Injection

Blinder is a small Python library to automate time-based blind SQL injection by using predefined queries as functions, allowing rapid PoC development. Installation: You can install Blinder using the following command: pip install blinder. Or by downloading the source and importing it manually to your project. Usage: To use Blinder you need to import the Blinder module, then start using the main functions of Blinder. You can use Blinder "with the current version" to do the following: check for time-based injection; get the database name; get table names. You can check…

NEW TOOLS, Parameter, Android Application, Command Line, Black box, Obfuscapk

Obfuscapk – A Black-Box Obfuscation Tool For Android Apps

Obfuscapk is a modular Python tool for obfuscating Android apps without needing their source code, since apktool is used to decompile the original apk file and to build a new application, after applying some obfuscation techniques on the decompiled smali code, resources and manifest. The obfuscated app retains the same functionality as the original one, but the differences under the hood sometimes make the new application very different from the original (e.g., to signature-based antivirus software). Architecture: Obfuscapk is designed to be modular and easy…


Cameradar – Hack RTSP Video Surveillance CCTV Cameras

Cameradar is a Go-based tool to hack RTSP Video Surveillance CCTV Cameras. It can detect open RTSP hosts, detect device models and launch automated attacks. The main features of Cameradar are: detect open RTSP hosts on any accessible target host; detect which device model is streaming; launch automated dictionary attacks to get their stream route (e.g.: /live.sdp); launch automated dictionary attacks to get the username and password of the cameras; retrieve a complete and user-friendly report of the results. Using Cameradar to Hack RTSP…

Kali Linux, NEW TOOLS, Distro, Kali, Penetration Testing Distribution, Pentesting Distribution

Kali Linux 2020.1 Release – Penetration Testing and Ethical Hacking Linux Distribution

We are incredibly excited to announce the first release of 2020, Kali Linux 2020.1. 2020.1 includes some exciting new updates: Non-Root by default; Kali single installer image; Kali NetHunter Rootless; Improvements to theme & kali-undercover; New tools. Non-Root: Throughout the history of Kali (and its predecessors BackTrack, WHAX, and Whoppix), the default credentials have been root/toor. This is no more. We are no longer using the superuser account, root, as default in Kali 2020.1. The default user account is now a standard, unprivileged, user. root/toor is dead. Long live kali/kali. NetHunter Images: The mobile pen-testing…

NEW TOOLS, Python Script, PythonAESObfuscate

PythonAESObfuscate – Obfuscates A Python Script And The Accompanying Shellcode

Pythonic way to load shellcode. Builds an EXE for you too! Usage: Place a payload.bin raw shellcode file in the same directory. Default architecture is x86. Run python obfuscate.py. Default output is out.py. Requirements: Windows, Python 2.7, Pyinstaller, PyCrypto (PyCryptodome didn't seem to work).